Artificial Neural Networks for Misuse Detection

Abstract:

Misuse detection is the process of attempting to identify instances of network attacks by comparing current activity against the expected actions of an intruder. Most current approaches to misuse detection involve the use of rule-based expert systems to identify indications of known attacks. However, these techniques are less successful in identifying attacks which vary from expected patterns. Artificial neural networks provide the potential to identify and classify network activity based on limited, incomplete, and nonlinear data sources. We present an approach to the process of misuse detection that utilizes the analytical strengths of neural networks, and we provide the results from our preliminary analysis of this approach.
Keywords: Intrusion detection, misuse detection, neural networks, computer security.

1. Introduction
Because companies and government agencies increasingly depend on their computer networks, protecting these systems from attack is critical. A single intrusion of a computer network can result in the loss or unauthorized utilization or modification of large amounts of data and cause users to question the reliability of all of the information on the network. There are numerous methods of responding to a network intrusion, but they all require the accurate and timely identification of the attack.
This paper presents an analysis of the applicability of neural networks to identifying instances of external attacks against a network. The results of tests conducted on a neural network, which was designed as a proof of concept, are also presented. Finally, the directions of future research being pursued in this area are discussed.

1.1 Intrusion Detection Systems

1.1.1 Background
The timely and accurate detection of computer and network system intrusions has always been an elusive goal for system administrators and information security researchers. The



